Hey everyone, it's Jim. How are you? Hello, Jim, doing good. Hope you are too. Yep, thank you. Hi everyone. Hey, yeah, I think we had Oz on, but he dropped, probably rejoining. Gus, I don't recall you on our previous calls. Are you with the same team as Jaya and Oz and others, or with a different team? Yes, I was. Actually, the last call was my first one. Okay. I'm on Jaya's team. That's right. Great, nice to meet you. Thanks, nice to meet you too.

All right. So I'm not sure if... Here's Robert joining. Not sure if Erica is, as she set up the meeting for us, but not sure if she's able to make it, so we can get started in a minute or so if she's not here. Okay.

So I know there were some comments on the document itself. Maybe we can just quickly browse through those and see if there's something worth discussing, and then I have the CRDs drafted and just a very simple example we can look at inside a cluster, and we can talk about next steps and what we need to do to get the... and then get this into the repo. All right, so let me share my screen. I'll just pull up the doc. Anybody need the link? I'll also paste that in the chat for us. Yep. See, there it is.

Okay, so let's just go back up top and see what's left to be addressed. So I think, Robert, this was a comment that you had added. Do you want to kind of walk us through it? It's kind of hard to see. Events... yeah, I think I was just commenting on the definition of where state lies, so state of the underlying system or state of the violation. So I think this is more commentary than a particular suggestion. Okay, so it's kind of on a small phone screen. Okay, yeah, I'm just kind of scanning through it. Yeah, it's talking about state transitions, and I guess the idea is to record some of these states, right? So we're interested in policy results obviously as a state. Okay, that's fine. Then I think we were talking about audit logs, and also, I think, Robert, this one's from you too.
It's just talking about the audit logs serving a different purpose. That's correct. Yeah, so I think the idea is we shouldn't be intertwining policy results with an audit log, right? And in some sense those are totally distinct concerns. Agreed here. I guess I was trying to... you know, at one point, if you recall, there was a discussion of, if there's flexibility or a proposal to provide more flexibility in the audit policy and allow multiple sources writing to the audit logs, would it make sense to put policy results there? But perhaps just as another output stream. I don't think it replaces what we're... or it doesn't overlap with having a policy report. And I think that's what you were mentioning here too. Yeah, and I think I've probably gone back and forth myself on that, and I think I'm back to where you originally were, Jim: as a convenient mechanism I think we were looking at the SIG Auth opportunity, but when you take a step back and say where does this logically belong, for me it doesn't really belong in the audit log. Okay, sounds good.

Multi-tenancy, that was your next comment, Robert. Yeah, so that's the interesting one, and that's where I think the custom resource... we want to allow both the cluster scope as well as namespace scope, to make it possible to report violations for namespace owners if they don't have access to cluster resources. So that's one provision for multi-tenancy. I don't know if there's any other things we could do. And of course if there's sensitive data that we don't want to display, then it should be shown at cluster scope, and role bindings, etc.,
need to be configured accordingly. Yeah, and that does bring up another issue, and that's a real-world issue in some of the projects I've been involved with. You talk about compliance issues: the decision logs, or in this case a policy violation report, if there's sensitive data in there, that becomes a problem, either in terms of additional controls that are required around that data, or, in the case of GDPR and such, if there's data about a particular user in there, then how does that work? How do you get rid of it? Yeah, so of course what we would want, and perhaps it's worth noting somewhere, either in documentation or even in comments, is that proper role bindings and roles should be created to access these CRs, right? Because there will be information, just like with other cluster information. There's potential data which could be considered, under privacy laws, like user names and things, or even just system names, things like that, which maybe are considered sensitive. But I don't see it as any different from some of the other data that you would find inside a cluster. As long as there are proper role bindings and access controls, it seems like that would be the right way to manage the scope of visibility. I guess the only real-world use case I'll speak to is, and again I don't want to derail the whole topic, so I'll just leave it with us: you have a case of, say, you're a media company, you're using this for your compliance and you're trying to prevent, let's say, data loss, right? So the compliance violation is a case where some end user's personal information is found in the wrong place. If you log that end user's personal information in the compliance report or the violation report, that then itself propagates the sensitive information and now has to be purged and controlled and what have you, right?
So there has to be some way, I think, to not just RBAC-control who can see it, but what data goes in there. Like, is it essential that you put that PHI in there, or can you actually address the violation without that PHI, which would be a better, less difficult thing to control? And I'm going off on a tangent, so I'll stop there. No, I think this is a very valid comment, right, Robert. I think, maybe like Jim you were saying, we need to include some guidelines on the kinds of data, because there are some free-form fields in the schema, right? And so putting those guidelines in, so that considerations for GDPR and those kinds of things are in the right place, would be important. I agree. Okay. Yeah, certainly that's something we can add to the docs and enhance, both for multi-tenancy as well as just keeping compliant with the privacy laws. All right, sounds good.

So on the structure itself, let's see what this is referencing. Yes, so the sentence you wrote, it does talk more about violations: "policy report must provide actionable information on current violations for the scope." So I thought that was important to call out, because violations and failures are probably one of the primary use cases. I mean yes, there are potentially others, but at least we want to make sure that if a failure is reported, there's enough information about which object and which policy and rule, and how to remediate, right?
Sure, so I guess the action information is kind of optional. Well, I guess it's more of a variant, if you will: if it's a violation it's probably more required, but if it's an in-compliance report then it's probably optional, right? Yeah, so these seem like, I guess I'm just making a note, these seem like good guidelines for engines: we talked about multi-tenancy, about privacy, and even making at least the failures actionable, right, so an admin knows what to resolve and how to resolve it. Okay.

All right, so then the definition itself. See here. Yeah, Yu, who's on the call from my team, has to drop in a little bit. Okay, process his comments first? Yes, absolutely. Yu, are there some in the document you want to call out? Yeah, here. So the first one I put there is basically, how do we want to handle the result? Like, for example, could the current report show the latest status, the latest result? What if we want to... do we plan to just generate multiple reports for each execution, and then that represents a history and a trend?
Oh, I think personally one thing we've kind of landed on, after thinking about this over the years, is that Kubernetes, especially when you're dealing with things in the resource, is not built to handle a history. It can represent what is going on right now in the cluster, the state, and what can then be remedied. But any sort of historical analysis needs to be pushed to a different system, and we view Kubernetes and those resources as representing the state of the cluster right now. That's kind of more of a thing that is just because of how Kubernetes resources and the model of it work, rather than something specific to policy. That's my stance: a CRD is not going to work well if you're trying to keep a history. Yeah, so certainly, and I think there's some balance to be found, right, where... I mean, there are examples where some historical data gets stuffed into metadata and other fields, which is not always best, but it's there. So I totally agree with what you're saying, Erica, in terms of mostly we want to report on current state and guide administrators in terms of what they need to remediate, what problems exist. However, there's nothing in the CR that prevents, I think for what Yu is asking, if you want to create multiple instances, maybe if a policy engine has a retention period or something like that. Now, obviously, you would want to say, okay, I'm going to keep maybe the last three instances and do this on a daily basis or something like that. So we're not specifying or dictating the period or the retention over here. Again, these could be guidance. We could state what Erica just mentioned, that the idea is for current results, but it makes sense if some upstream management system is, let's say, retrieving information once every hour, you want to make sure at least you've covered your hour's worth of retention, right?
So something reasonable like that would make sense. Perhaps, for example, if you have a policy result that shows a violation because of some pod that's running something it shouldn't be or whatever, and that pod gets deleted, having the policy result still around that was the violation isn't... it also becomes not as useful. It's, oh, did you keep the information? What pod? Well, the pod's changed. I think the policy result needs to change somewhat in a best-case reconciliation loop in a similar way, and if you do need that kind of audit information for that pod, you need to have an event stream pushed for the policy results itself. So kind of, this is, to the best effort of the policy engine, the state of the cluster. That makes sense rather than thinking too much about retention: this is our best, most recent attempt to give you the state of the cluster in terms of its policy.

So what do these fields mean? I see a last execution and an execution count. Yeah, so this is something actually that, as I was trying out the custom resource, I went with a different approach because it already has a creation timestamp. I removed these fields in the custom resource. But the intent was to show when this report was generated, so really it was more about a timestamp, and the count was if we want to keep a record of how many times the policy has been scanned or applied on the resources. Okay, so for example in our concept, right, we have a policy controller that will process the policy against the control, and it can be configured to run every so often. And so if it runs, like, three times a day, then the execution count will show three and the last execution will be the last time it was executed. Is that what it is? That's exactly right.
So, and of course if the policy engine keeps, let's say, reports up to one day or one hour, in addition to the current one, then the last execution or the creation date of the resource would tell us which one's the latest. So it will basically create multiple policy report instances, right? It's possible. We're not preventing that, but to Erica's point, I think we should have some guidelines on how to get to the most current, so it's very easy for admins to see the current state, right? Because that's the main thing we want to help with. Yeah, the reason we are bringing this up is because we have heard some feedback from customers that they would like to see the historical trend of things, so that they can know if something is going wrong. Sure, that makes sense, and I think we can look at metrics as an example, right? Prometheus inside the cluster typically keeps some amount of very limited history, like 15 minutes or something by default. But of course everybody wants metrics for the last month, last year. So you would push that into a management cluster or some other management tool offline, or that tool will pull the data through events or through other mechanisms, and you can have long-term storage there. Okay, I think we get the idea and I understand it. So I think that brings up a good point. Way back a couple years ago, when we were helping my intern build the container scanning operator thing, I think we pushed Prometheus metrics for it, and that was a really cheap way to get a history of the policy violations. I don't know if it still does that.
But we could talk about standardizing on that, like we recommend your controller also pushes these violations to Prometheus using the same kind of format or something. Yeah, we can take that offline and if necessary bring it back here, because we do have an observability component that we will be integrating with as well, which is going to be collecting metrics and such. So that's good. Okay.

Yu, I don't know whether you dropped or you're still around. Yeah, I'm still here. The other thing is, we do want to provide some kind of URL. For example, one use case is we have a controller that scans image vulnerabilities, and once there's a vulnerability it'll generate a custom CR. It will be named as the SHA of the image, and in that CR it contains some detailed information, like what vulnerabilities exist in this image. But in today's report we only show some summary information, like you have a violation, you have failed the policy. So currently the structure doesn't allow us to provide deep linking into the details of the violation. Right, so yeah, there would be a status,
and some summary data. I think if you need any other custom data, that would belong in the data field, at least in the structure right now, where you can put any links, any additional information you would require. And you can also, for example, if you want to point to a particular part as the source, of course you can use either the resource, or, if the entire report is just for one violation, you can use the scope to point to that particular object. So there's some flexibility there, but yes, it would end up being just generic data in this map, a string-to-string map where you can store additional fields like that. Ignore my ignorance on the implementation details, but architecturally it might be nice to have other components decorate these results with that kind of more detailed information. Is that supported, is that a pattern that's used? So we know the policy engine creates a resource for the violation, and then some downstream system can annotate or decorate... annotate is a bad word given it has an annotation meaning, but add data to the fields to enhance the report. Well, the first version did use annotations on the pods, but I think one of the things, maybe this is brought up somewhere else, the problem with, for instance, the container vulnerability: you can't put them all in one policy report, right? You can't link to every single pod necessarily; you might have thousands that have their own vulnerability. So I think that's why sometimes you need to decide, do you create one per pod, or per image?
But then you're trying to aggregate the results up, maybe. Yeah, this is always a weird one. I'm wondering if, where we link to the resource, we should allow some kind of label and selector kind of thing, or some other way to gather multiple resources in a way that doesn't require us to list them out. So instead of just having a data map, provide something like a selector. Maybe we need some kind of selectors to select for large numbers of either sub... which also notes that a policy report can refer to other policy reports. Right, yeah, so there is some room for aggregation here, right? So you can have results which are referencing different objects and perhaps even different rules if needed, within the policy scope. So in the case that Yu was describing, if it's a SHA, like an index or a hash, that's another custom resource in the system, so if you want to reference it as a resource here, you could. But yeah, to your point, Erica, if you want to just reference all of those, to say that hey, there's more than one image violation, or an image of this type, because the same image could be used in multiple pods and you don't want to reference each one separately but you want to group them, then yeah, labels is an interesting idea, to just have a selector. So in that specific example, Yu, are there some common selectors or labels that can be applied? Currently, the current information for that operator...
No, it's basically generating multiple CRs; it basically just generates multiple objects of that custom resource. Okay. I think the concern here is that tools that are going to be processing this information, information that is in the data area, it's not something that they can count on, in the sense that it's pretty much very proprietary, right, because we are not speccing it out here. It's specific to an engine. Yes. Right. So I think what we are trying to do here is to say that the non-data fields, which are more strongly typed, even some of that is optional, but at least it is kind of laid out, and so the tools that process it can look for it. We want to make sure that the critical pieces are there, right? So the question here is, the example that Yu is bringing up is an example of a drill-down, right? I mean, if I get a policy report that represents a violation and I want to now drill down to get to the details, what is the way I would do that? And is that going to be a first-class concept in the schema, or is that going to be hidden in the data area? This is the question. Now there is support for that through aggregation, at least to one level, right? So the example that I was thinking about for multi-tenant environments is, let's say you have several workloads, several things in the namespace or a set of namespaces that belong to a tenant. You may want to create, maybe one of the things we are trying to do is report per application, perhaps one report per namespace, or maybe even just one for the tenant, and the structure allows that just by saying, okay, what your scope of the report is and then what the results are. Now what we haven't thought through, or at least I haven't thought through, is if you want reports to be nested or reports to reference each other, how would we do that or support that?
Again, in theory, you could use the resource field to point to other sub-resources or even CRs within the results map. So you could represent the image vulnerability CR details in the resource field here. It's kind of hard because currently it's a string-to-string map, right? So it's just... No, the resource field is an object reference, so it would have name, kind, namespace. Oh, resource, not results. Okay, I was talking about the data. Yeah, so the resource field, which I'm highlighting, that is an object reference; the data is just for additional data, just like annotations, right? Okay, I think as long as we can specify, like if it's a namespaced resource, then we can specify namespace, name and kind. Yes. And we can specify multiple of them? Then this should be fine. So the multiple goes back to what Erica was mentioning; then we should probably have a resource and a resource selector, and I guess the Kubernetes way of doing multiple is through a selector, so then you would have to put a label and apply the right label selector over here. Okay. So if it's a single resource we use resource; if it's multiple we need to provide a label selector. Correct. So that could be a good solution to allow both. Mm-hmm. Okay, good. Yu, did you have anything else? No. Okay, feel free to drop.

So I think, thank you, and Gus, I think you had some comments, right? Yep, let's go back to... yeah, so this, Gus, you're mentioning multiple clusters in a single hub, or I guess a management cluster like I was mentioning. Anything we could do to help with that in the structure? No, I really added that comment to basically prompt my team to see if there was something additional we would need to handle that case.
I think our management of policies that are being distributed to multiple clusters is probably kind of falling into this multi-tenant idea here. It's just a different way of thinking about it. So I just wanted to stick something in here in case... We lost Yu; he was the main one I was interested in, whether he had any comments on it, but I think there's nothing specific I know of that I feel like we need to add, unless someone else from the team... So Gus, I thought that what we wanted was to represent within the policy report schema the identity of the cluster, wasn't it? Yeah, and that's what we do today, sort of, through the namespaces with policies. If there's something extra that we want to try to add... Namespaces? Okay, so namespaces on the managed cluster, they don't help us with the identity of the managed cluster, right? No, no, I'm talking about namespaces on the hub cluster. Right, right, but the policy report is coming from the managed cluster, right? So it's both, right? It would be in both places. So on the managed cluster it would exist as the namespaced resource or cluster-scoped resource, depending upon what it's representing, but then on the hub cluster it would always be the namespaced resource, where the namespace is associated with the managed cluster. Right, so if I understand correctly, the hub cluster is what's querying all these managed clusters and pulling this information, or somehow being sent events. Is that the model? Right. Okay, so then it should have the source information, right? So it doesn't seem like we need to... I mean, yeah, I think it could be that if the hub cluster, in your nomenclature, is getting this information, and if it's also storing these long term, right,
does it need to add or enrich this further and add some other information, like to say which cluster it came from? Maybe that's what Jaya is thinking about. Where would that go? So potentially that could go into, again, the metadata, to say source cluster or managed cluster ID or however you want to reference that. Right. Yeah, so that's what I was wondering, if we would like to do that, because I think the way open-cluster-management / RHACM is doing it is one way, right? And I think I want to have this policy report independent of that, independent of how we represent things, because I think this information could be consumed, obviously will be consumed, by RHACM, but also be consumed by other things, right? So I think it's good to include the cluster identity in the policy report itself, so that if this information is also consumed by other tools, whether it is for metrics or other manageability tools, right? I think the way I would recommend it, what we want to make clear, is that when you have references to objects those should be direct object references. I think it would be kind of weird if those referenced things outside of the current cluster. Hmm. How do you handle... policy can't be the only place with multi-cluster where some of this comes up, where you're trying to reference, talk about, objects that are in different clusters. Is this a common problem? So yeah, I haven't seen any example where you're linking or have pointers across clusters. In the Cluster API, the CAPI stuff, everything that represents other cluster information, like clusters which are being provisioned and managed, is stored as a CR in the management cluster itself. So yeah, in this case if you're transferring this from one to another, right, like the object information, the namespaces, etc., would it make sense in the hub cluster,
in the nomenclature that Gus was using, it would have to be somehow tagged that, hey, this report came from some other cluster, so any object reference is referencing objects in that cluster. But yeah, I'm not sure; some kind of identifier then from one of those projects. And the other question is, if I'm running a controller inside a cluster, do we have information, like through just the standard bootstrapping and APIs, can you get... I'm sure you can look up, of course, the API server IP address and things like that, but that's not an immutable ID, right? So I don't know how we would reference these clusters from inside the cluster. So it almost seems to me that if there is, again, some higher-level management system, like in this case the hub cluster, that should be responsible for transforming the data, enriching the data, if it's storing it in its database, right? So it's retrieving it from the source, but at that point you can add additional metadata and update information before putting it into the hub cluster database. Okay, yeah, because the hub knows where it's coming from is your point. Right. Okay, I think we'll live with that for this one. Go ahead, Gus, did you have anything else? Are you going to go in order? Yeah, I can stay, I don't need to drop. Okay.

So I think there was yet another... So Robert, you had a previous comment over here on the spec and status design, and I tried to write that up in a better manner, to describe what the difference here was and why we were deviating from that model. Not sure if you had some time to take a look at that, if there's anything else we need to write over here. Seems... I'll take a look at it after the call and close it. Okay.
All right. There's a comment from Mary on labels. So I think the question over here was, can we do something like kubectl get policy report, and then deployment my-deployment? So if I understood that correctly, it seems like, I mean, you can put labels on the policy report, so that should be possible. Is there anything else? And of course we also have things like the scope and resources, but the labels would be an easy way: if a policy is related to a particular resource, that could also be added into the labels, but we're not sort of mandating that or requiring that. Anyone have any other thoughts on this? Yeah, well, I mean, in some sense this is where the namespace interacts with access control in a kind of way that Kubernetes is clunky about. Ideally, right, namespaces can literally group together things like your deployments and your violations to help you find them, but at the same time we probably want to be pretty strict that policy reports can be read by perhaps any user in the namespace, but only written by the tool, and the tool or the controller can only write but not read, to keep it within a mandatory access control model. So we can maybe specify a little bit more of what the RBAC by default should be to set this up securely, for one. Otherwise, I think labeling is really flexible, and it's just whatever works best for you and your kind of system, right? If we really have specific labels that we know we need to standardize across all distributions, that's what we should talk about standardizing. Otherwise I'd love to see people use labels to their best. Right. Yeah, the one that I had suggested over here is that we have something under the policy group, like just "engine", to say who reported this, right?
Whether it's kube-bench or Kyverno or Gatekeeper or RHACM or something else. Yeah, maybe I could see an engine and sort of a suite, or some other kind of versioning or something on it, but okay. Yeah, I'm sure as we start using this in real-world examples we'll come up with more structure, more ways of tagging and classifying that would make sense. Notice we don't talk about owner references here. Yes. So initially, when we were dealing with just violations, it was fairly straightforward to have an owner reference back to the object that was creating the violation, or the policy rule. But now that we've moved into a more generic structure, yeah, there's no mention. I mean, it would be up to the engine, and potentially the engines are just recreating this report periodically, right, not really maintaining this. So the question you brought up, in terms of what happens if... well, of course if you delete the namespace that contains this report, the report will get deleted. But if you delete the pod or the workload, the report may not immediately get updated, but the next time it gets generated the pod of course won't be referenced, right? There'll be a new set of results in that report. So other than that, I'm not sure what else we would want to mention, or how we would want to deal with, you know, if there's a need to have real-time sort of updates: if you delete the pod, does the report have to be updated right away?
I don't think that's a strict requirement, but I'm open to suggestions. Yeah, it doesn't seem like we have any specific thing that is specific to us and not the general problem, so I think we don't have to say anything specific. All right, so moving further down.

So Gus, you mentioned... yeah, you already talked about URLs some. There's certainly the drill-down case, and there could be other cases too. In some cases it's probably fine that an annotation or something could be created, right? I wanted to call it out because it was one of our first customer requests when they saw a similar framework. Your engine label, it's going to reference in some cases, like you mentioned, kube-bench or something that has a specific home that could be linked to. I don't know that it's worth defining a specific URL that goes along with that. I think the main discussion point was probably what you already covered, related to the selectors and, I forgot what the field was, but okay. Yeah, so I think the prior discussion was on the resource selector, either having a single resource or a resource selector. And here I think this was more on the message, and I think you had a subsequent follow-up comment on severities as well, right? Right. I think this URL... I think this makes sense and I think I've seen this before: you often want, basically, what's the authority on this thing and where is it defined when it's an external standard, right? Like if there's a CVE report you kind of want to link to that. Is that kind of what they were asking for a little bit? Yeah, yeah, so there were multiple different links.
They requested, um, you know, one could be a link to the engine or the product that's generating the report, because that product may have additional details to provide. Of course a link to, like your example, the CVE, so that's more specific to the particular security control that's been detected. And I guess the other link would be maybe some more general links, um, it could be, well, like the link out to kube-bench or something where there's some more general information on the scope of the policy or something like that. So there were three or four different little areas, I think, where they were wanting some more details, um, that varied from the policy level down to the results details. So could those be put into the data map as different fields? Or, you know, so obviously if you're looking at this in a product with a user interface or a web interface or a console, then you would expect those to be translated into links and things you could click on. But in terms of the raw data itself, um, I mean, I don't see how that could be. Yeah, yeah, so every link you would have some kind of title or description that goes along with it, properly. And um, yeah, so I was thinking that the severity and the summary violation detail would be good to kind of bubble up above the data, right? The data could be giving more details, etc., right? Because right now, you know, I had a question actually about this message. Um, the message field is a description of the benchmark or the policy, so it's basically a description of what is being checked, right? It is not a description of what was the result of the check, because it looks like the only result we have is whether it passed or failed or warning or error or skip, right?
Right. Yeah, so this data information is intended, you know, and just that, look at what I was looking at, like output from tools again like kube-bench and others, which are just showing a summary screen, right? And the idea would be of course you can click on each of these to get more details. And I think what we're discussing is where are those details captured, right? Is it back to the policy engine, or do we want to standardize on that next layer of details as well? So yeah, I'm not sure, and there's no doubt that this information, like even categories and severities, is super important. That's definitely not the question. The question is, do we need to standardize, or try to standardize, attempt to standardize, right away? Or is this something, you know, like as we talked about, we had even mentioned like the CVSS scoring and things like that. Seems like we could, as we get familiar with and look at tools which are using the structure, we will have a better sense for what to pull up and make top-level fields. Yeah, I think, from, you know, given what we are working with, this is a management tool, anything that we show on our dashboard or expose through API we want it to be actionable, right? So in order to act on a violation, I think the first thing the upstream will need to know is how critical is this, right? So that is why I think the severity becomes important, right? Because otherwise they wouldn't know which one to prioritize and act upon, right? Right. It seems to me that at least the severity is something we want to bubble up, is what I would say. Right, but could it not be still used where the severity is in the data map? I mean, you could. My point more is that whatever is in the data map I view as really not standardized, because it is pretty freeform and it's not spec'd out, right? So I think it's going to be hard for us to write... That's a challenge.
I'm facing, because I think the way I look at it is, okay, so RHACM is managing a bunch of managed clusters. It's collecting all these details, right? I'm bringing it to the hub, and then it provides a way to act on them, etc. But then in a real hybrid environment, I fully expect that customers would want to pull the data from RHACM and maybe feed it to something else, right? So think of it... Yeah, you know, that makes complete sense, right? But the question is, is there a standardized way of reporting severity or score or some other? Probably several, right? Maybe we should make our own, just add another. Um, yeah, so I don't know, like, it just seems like a topic we would want to research and dive into a little bit deeper and then come up with some proposals if there's a way to standardize. Or even if you're dealing with multiple policy engines, one way of managing it is you look at the engine label and then based on that you can expect certain fields in the data, right? So yes, it's freeform, but it could be that each engine publishes its subset of data, which, you know, just like with annotations, right? That's the approach folks have taken with annotations: that if you're using, let's say, some CNI which has its own networking, it's expecting a certain set of annotations to be there to drive the configuration of that networking. So I don't see why it can't be used even though it's, you know, put in data. It's just, is it worth trying to standardize at this point without sort of seeing that real-world experience, is my question. Okay. Yeah, that's fair enough. I think what I'm saying is we will definitely put that field in it, right? I think absolutely. Yeah, yeah. So anyway, since we are going to be open sourcing what we are doing, I think we can get feedback and evolve it and bring it back. That's fine. Okay. Yeah, and this probably is the first thing once we have this basic structure in, I think the severity and scoring, as you said, right?
That's the first thing that our knobs team would want to do is to say, okay, is this something that I should care about? And then, to Gus's point, it's like, what do I do about it, right? So give me a link I can click on to go read up on it and see what to do next, right? Those absolutely, see, yeah, that's going to be required. I think those two we will definitely add in the data field: the severity and the download link. Okay. I should note, let's make sure also we're not... there's so much, obviously policies are rich subjects, right? We don't have to put everything in here, and if we come and realize, like, there's actually a different, new, another resource that would complement well, we can talk about that in another iteration too, right? Yeah. Yeah, I understand. Yeah, I was just like, I keep thinking of things I want to add into those. Yeah, yeah, I don't want to step back. Yeah, trust me, you know, I worked on some spec like this ages ago on a common event format, and we had to be very careful on not making it too verbose, right? So I understand. Yep. Like, oh, maybe we should have, like, you know, a signature so that we can verify the engine that created this report, or... So I think probably we're going too far here, but okay. Yeah, so let's, you know, kind of at least document that this is something that we intend to work on as a next step. Um, so we already... and then having these links, because both of those things would be important. But we can revisit once we agree to or get the basic structure. Yep. Okay. All right.
So I know we just have a few minutes left, but really quickly I wanted to show what the CR is looking like, and I do have a pretty straightforward... So I just used kubebuilder for now, but before I submit the PR I'm going to clean this up. I was thinking we could just use the... we don't really need a controller, so we can probably simplify what we actually need to maintain. Um, so I'll see how much of this stuff we can remove and just keep the CRD generation portion of it, that kubebuilder also uses underneath, right? So anyway, the structure is pretty much what we have in the document. There were a few minor things I did, like I mentioned on the time and the counts. I just removed that because the creation time is just part of every resource, but we could go back and add things back. But this is what the result structure sort of looks like. It's actually, I think I have an example. Yeah, I do. So I'm just kind of playing around with examples. So if you look at, you know, from, um, and we could do this as -o yaml. This is sort of what it would look like in the YAML, um, you know, where this is the results, and then there's a summary which just has the counts, there's a scope here in this report. Um, and then if you just look at it in the CLI without, so it would look something like this, right? So it's saying there's a report, this is the scope of the report, and it's showing some pass, fail, one error, skip, and the age, which is from the creation timestamp. So yeah, nothing too earth-shattering, but basically it's taking... Looks good. Yeah, yeah, pretty good. Is there a way to make it so that, just like node/docker-desktop, the way they do printers? Yeah, that's my... you are right. So unfortunately there are some limitations with this.
Um, so right now the tool we're using, kubebuilder, yes, v2, and it uses a framework to generate CRs, right? So I couldn't find a way to do that, but that's, uh, yeah, I was looking for that as well, to see if you could combine the scope fields into one. So we can file a separate issue for that and see if there's a better way to manage it. I also want to see, like, I don't know if anybody on the call has experience with this. I was trying to look for a tool to generate documentation, and there are some tools out there which can do that, but none of them seem to work with kubebuilder CRs. And there's open issues filed on kubebuilder v2 in terms of how to generate documentation for API objects. So it would be nice to, you know, whatever we have right now in the Google doc, to be able to automatically generate information like that and document the CR structure, right? So I'll continue looking, but if anyone else has any experience on that, let me know. Are the tools specific to Kubernetes too? And I think, I'm not exactly sure what all the Go auto-doc kind of stuff they use is, but... will be told and made to do it. Yeah, so we'll have to, I think before we go, and as we start showing this to folks, I'm sure we'll have to figure out some way of doing that. So in the first case we'll have to write something that looks at the CRD and just generates some simple markdown. Did you say that this is on GitHub yet? No, not yet. Um, so right now I just have this in my own repo, but I'll clean it up and submit a PR. Probably go ahead and push it now if you want, earlier. It's okay, we won't judge. Okay. Yeah, no, I just wanted to find a way to remove all of these other fixtures we don't need from kubebuilder, right, like with all the Go types and controllers and things like that. So yeah, I should be able to at least submit the PR in the next day or so. Cool, ping us on Slack maybe when you do. All right.
Yeah, we'll do, um, and again examples would help. So if anyone has other additional examples, I know last time we had talked about doing like two or three examples from RHACM. And yeah, in fact both you and Gus have done the examples; that's how we gave the feedback. So do you want us to put them into this doc itself, or how do you want to do it? Yeah, or just send them on the Slack channel, or put them in the... Yeah, I guess you could add them in as a comment in the doc, or just put them in the Slack channel and I'll add them to the doc. Um, I don't know if everybody's on Slack. Maybe just let me know if someone wants to write to the doc; I can give them write access, because right now it's like world-readable and anyone can comment, but not everybody can edit the doc. We can just add a comment, right, because... Yes, we can add comments. Okay. Okay, so we'll do that later today. Okay, that'll be great. So the next step is next week, there is a call, is that right? Yes. So I don't know if, it's the next week where my suggestion would be let's do another internal call, go through everything, and we should have the CR working by then, right, so we can try it out in different clusters. And then, if, you know, next week we'd also talked about potentially presenting to SIG Auth, right? We could do that next week, but it may be a little bit too early. If, um, so maybe we do that in their subsequent meeting. If not next week, I would at least be in favor of, you know, even if it's not like presenting it as ta-da, here, like making sure that we are all on the right track and in sync with them. I think, uh, we don't want to... yeah, we could give them a quick update. Yeah. Okay, so is that call the same time, or when is that call? It is at, uh, 11 a.m.
My time, Pacific time. Okay. So similarly, I think if you join, I will put in the chat, yes, under contact, if you join the mailing list. Okay, so we will meet next week the same time in this working group, and then later that day is when the SIG Auth thing is, right? Yes. Okay, got it. All right, very good. Okay, thanks everyone. Thank you. Have a good week. You too.